Abstract

A subset of a set of terminals that observe correlated signals seek to compute a given function of the signals using public communication. It is required that the value of the function be kept secret from an eavesdropper with access to the communication. We show that the function is securely computable if and only if its entropy is less than the "aided secret key" capacity of an associated secrecy generation model, for which a single-letter characterization is provided.

Index Terms 

Aided secret key, balanced coloring lemma, function computation, maximum common function, omniscience, secret key capacity, secure computability.

I. Introduction 

In an online auction, $m - 1$ bidders acting independently of each other, randomly place one of $k$ bids on a secure server. After a period of independent daily bidding, the server posts a cryptic message on a public website. Our results show that for $m > k + 1$, such a message exists from which each bidder can deduce securely the highest bids, but no message exists to allow any of them to identify securely the winners.

In general, suppose that the terminals in $\mathcal{M} = \{1, \ldots, m\}$ observe correlated signals, and that a subset $\mathcal{A} = \{1, \ldots, a\}$ of them are required to compute "securely" a given (single-letter) function $g$ of all the signals. To this end, following their observations, all the terminals are allowed to communicate interactively over a public noiseless channel of unlimited capacity, with all such communication being observed by all the terminals. The terminals in $\mathcal{A}$ seek to compute $g$ in such a manner as to keep its value information theoretically secret from an eavesdropper with access to the public interterminal communication. See Figure 1. A typical application arises in a wireless network of colocated sensors which seek to compute a given function of their correlated measurements using public communication that does not give away the value of the function.

Our goal is to characterize necessary and sufficient conditions under which such secure computation is feasible. We formulate a new Shannon theoretic multiterminal source model that addresses the elemental question: When can a function $g$ be computed so that its value is independent of the public communication used in its computation?
Fig. 1. Secure computation of g

We establish that the answer to this question is innately connected to a problem of secret key (SK) generation in which all the terminals in $\mathcal{M}$ seek to generate "secret common randomness" at the largest rate possible, when the terminals in $\mathcal{A}^c = \mathcal{M} \setminus \mathcal{A}$ are provided with side information for limited use, by means of public communication from which an eavesdropper can glean only a negligible amount of information about the SK. The public communication from a terminal can be any function of its own observed signal and of all previous communication. Side information is provided to the terminals in $\mathcal{A}^c$ in the form of the value of $g$, and can be used only for recovering the key. Such a key, termed an aided secret key (ASK), constitutes a modification of the original notion of a SK in [14], HI, [6], Q. The largest rate of such an ASK, which can be used for encrypted communication, is the ASK capacity $C$. Since a securely computable function $g$ for $\mathcal{A}$ will yield an ASK (for $\mathcal{M}$) of rate equal to its entropy $H$, it is clear that $g$ necessarily must satisfy $H \leq C$. We show that surprisingly, $H < C$ is a sufficient condition for the existence of a protocol for the secure computation of $g$ for $\mathcal{A}$. When all the terminals in $\mathcal{M}$ seek to compute $g$ securely, the corresponding ASK capacity reduces to the standard SK capacity for $\mathcal{M}$ [6], Q. We also show that a function that is securely computed by $\mathcal{A}$ can be augmented by residual secret common randomness to yield a SK for $\mathcal{A}$ of optimum rate.

We also present the capacity for a general ASK model involving arbitrary side information at the secrecy-seeking set of terminals for key recovery alone. Its capacity is characterized in terms of the classic concept of "maximum common function" [Sl. Although this result is not needed in full dose for characterizing secure computability, it remains of independent interest.

We do not tackle the difficult problem of determining the minimum rate of public communication needed for the secure computation of $g$, which remains open even in the absence of a secrecy constraint ifTTI. Nor do we fashion efficient protocols for this purpose. Instead, our mere objective in this work is to find conditions for the existence of such protocols.

The study of problems of function computation, with and without secrecy requirements, has a long and varied history to which we can make only a skimpy allusion here. Examples include: algorithms for exact function computation by multiple parties (cf. e.g., [20], [9], [10]); algorithms for asymptotically accurate (in observation length) function computation (cf. e.g., ifTSl, [13]); exact function computation with secrecy (cf. e.g., ifTTl); and problems of oblivious transfer [16], JSJ.

Our results in Section III are organized in three parts: capacity of ASK model; characterization of the secure computability of $g$; and a decomposition result for the total entropy of the model. Proofs are provided in Section IV and concluding remarks in Section V.

II. Preliminaries 

Let $X_1, \ldots, X_m$, $m \geq 2$, be rvs with finite alphabets $\mathcal{X}_1, \ldots, \mathcal{X}_m$, respectively. For any nonempty set $\mathcal{A} \subseteq \mathcal{M} = \{1, \ldots, m\}$, we denote $X_\mathcal{A} = (X_i, i \in \mathcal{A})$. Similarly, for real numbers $R_1, \ldots, R_m$ and $\mathcal{A} \subseteq \mathcal{M}$, we denote $R_\mathcal{A} = (R_i, i \in \mathcal{A})$. Let $\mathcal{A}^c$ be the set $\mathcal{M} \setminus \mathcal{A}$. We denote $n$ i.i.d. repetitions of $X_\mathcal{M} = (X_1, \ldots, X_m)$ with values in $\mathcal{X}_\mathcal{M} = \mathcal{X}_1 \times \cdots \times \mathcal{X}_m$ by $X_\mathcal{M}^n = (X_1^n, \ldots, X_m^n)$ with values in $\mathcal{X}_\mathcal{M}^n = \mathcal{X}_1^n \times \cdots \times \mathcal{X}_m^n$. Following [6], given $\epsilon > 0$, for rvs $U, V$, we say that $U$ is $\epsilon$-recoverable from $V$ if $\Pr(U \neq f(V)) \leq \epsilon$ for some function $f(V)$ of $V$. All logarithms and exponentials are with respect to the base 2.

We consider a multiterminal source model for secure computation with public communication; this basic model was introduced in [6] in the context of SK generation with public transaction. Terminals $1, \ldots, m$ observe, respectively, the sequences $X_1^n, \ldots, X_m^n$, of length $n$. Let $g : \mathcal{X}_\mathcal{M} \to \mathcal{Y}$ be a given mapping, where $\mathcal{Y}$ is a finite alphabet. For $n \geq 1$, the mapping $g^n : \mathcal{X}_\mathcal{M}^n \to \mathcal{Y}^n$ is defined by

$$g^n(x_\mathcal{M}^n) = \big(g(x_{11}, \ldots, x_{m1}), \ldots, g(x_{1n}, \ldots, x_{mn})\big), \quad x_\mathcal{M}^n = (x_1^n, \ldots, x_m^n) \in \mathcal{X}_\mathcal{M}^n.$$

For convenience, we shall denote the rv $g^n(X_\mathcal{M}^n)$ by $G^n$, $n \geq 1$, and, in particular, $G^1 = g(X_\mathcal{M})$ simply by $G$. The terminals in a given set $\mathcal{A} \subseteq \mathcal{M}$ wish to "compute securely" the function $g^n(x_\mathcal{M}^n)$ for $x_\mathcal{M}^n$ in $\mathcal{X}_\mathcal{M}^n$. To this end, the terminals are allowed to communicate over a noiseless public channel, possibly interactively in several rounds. Randomization at the terminals is permitted; we assume that terminal $i$ generates a rv $U_i$, $i \in \mathcal{M}$, such that $U_1, \ldots, U_m$ and $X_\mathcal{M}^n$ are mutually independent. While the cardinalities of range spaces of $U_i$, $i \in \mathcal{M}$, are unrestricted, we assume that $H(U_\mathcal{M}) < \infty$.

Definition 1. Assume without any loss of generality that the communication of the terminals in $\mathcal{M}$ occurs in consecutive time slots in $r$ rounds; such communication is described in terms of the mappings

$$f_{11}, \ldots, f_{1m}, f_{21}, \ldots, f_{2m}, \ldots, f_{r1}, \ldots, f_{rm},$$

with $f_{ji}$ corresponding to a message in time slot $j$ by terminal $i$, $1 \leq j \leq r$, $1 \leq i \leq m$; in general, $f_{ji}$ is allowed to yield any function of $(U_i, X_i^n)$ and of previous communication described in terms of $\{f_{kl} : k < j, l \in \mathcal{M} \text{ or } k = j, l < i\}$. The corresponding rvs representing the communication will be depicted collectively as

$$\mathbf{F} = \{F_{11}, \ldots, F_{1m}, F_{21}, \ldots, F_{2m}, \ldots, F_{r1}, \ldots, F_{rm}\},$$

where $\mathbf{F} = \mathbf{F}^{(n)}(U_\mathcal{M}, X_\mathcal{M}^n)$. A special form of such communication will be termed noninteractive communication if $\mathbf{F} = (F_1, \ldots, F_m)$, where $F_i = f_i(X_i^n)$, $i \in \mathcal{M}$.

Definition 2. For $\epsilon_n > 0$, $n \geq 1$, we say that $g$ is $\epsilon_n$-securely computable ($\epsilon_n$-SC) by (the terminals in) a given set $\mathcal{A} \subseteq \mathcal{M}$ with $|\mathcal{A}| \geq 1$ from observations of length $n$, randomization $U_\mathcal{M}$ and public communication $\mathbf{F} = \mathbf{F}^{(n)}$, if

(i) $g^n$ is $\epsilon_n$-recoverable from $(U_i, X_i^n, \mathbf{F})$ for every $i \in \mathcal{A}$, i.e., there exists $g_i^{(n)}$ satisfying

$$\Pr\big(g_i^{(n)}(U_i, X_i^n, \mathbf{F}) \neq G^n\big) \leq \epsilon_n, \quad i \in \mathcal{A}, \tag{1}$$

and

(ii) $g^n$ satisfies the "strong" secrecy condition¹

$$I(G^n \wedge \mathbf{F}) \leq \epsilon_n. \tag{2}$$

By definition, an $\epsilon_n$-SC function $g$ is recoverable (as $g^n$) at the terminals in $\mathcal{A}$ and is effectively concealed from an eavesdropper with access to the public communication $\mathbf{F}$.

Definition 3. We say that $g$ is securely computable by $\mathcal{A}$ if $g$ is $\epsilon_n$-SC by $\mathcal{A}$ from observations of length $n$, suitable randomization $U_\mathcal{M}$ and public communication $\mathbf{F}$, such that $\lim_n \epsilon_n = 0$.

III. When is g securely computable? 

We consider first the case when all the terminals in $\mathcal{M}$ wish to compute securely the function $g$, i.e., $\mathcal{A} = \mathcal{M}$. Our result for this case will be seen to be linked inherently to the standard concept of SK capacity for a multiterminal source model [6], Q, and serves to motivate our approach to the general case when $\mathcal{A} \subseteq \mathcal{M}$.

Definition 4. [6], Q For $\epsilon_n > 0$, $n \geq 1$, a function $K$ of $(U_\mathcal{M}, X_\mathcal{M}^n)$ is an $\epsilon_n$-secret key ($\epsilon_n$-SK) for (the terminals in) a given set² $\mathcal{A}' \subseteq \mathcal{M}$ with $|\mathcal{A}'| \geq 2$, achievable from observations of length $n$, randomization $U_\mathcal{M}$ and public communication $\mathbf{F} = \mathbf{F}^{(n)}(U_\mathcal{M}, X_\mathcal{M}^n)$ as above if

(i) $K$ is $\epsilon_n$-recoverable from $(U_i, X_i^n, \mathbf{F})$ for every $i \in \mathcal{A}'$;
(ii) $K$ satisfies the "strong" secrecy condition

$$\log|\mathcal{K}| - H(K \mid \mathbf{F}) = \log|\mathcal{K}| - H(K) + I(K \wedge \mathbf{F}) \leq \epsilon_n, \tag{3}$$

where $\mathcal{K} = \mathcal{K}^{(n)}$ denotes the set of possible values of $K$. The SK capacity $C(\mathcal{A}')$ for $\mathcal{A}'$ is the largest rate $\lim_n (1/n) \log|\mathcal{K}^{(n)}|$ of $\epsilon_n$-SKs for $\mathcal{A}'$ as above, such that $\lim_n \epsilon_n = 0$.

¹The notion of strong secrecy for SK generation was introduced in [15], and developed further in O, JSj.
²For reasons of notation that will be apparent later, we distinguish between the secrecy seeking set $\mathcal{A}' \subseteq \mathcal{M}$ and the set $\mathcal{A} \subseteq \mathcal{M}$ pursuing secure computation.



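Remarks. (i) The secrecy condition (3) is tantamount jointly to a nearly uniform distribution for $K$ (i.e., $\log|\mathcal{K}| - H(K)$ is small) and to the near independence of $K$ and $\mathbf{F}$ (i.e., $I(K \wedge \mathbf{F})$ is small).
(ii) For the trivial case $|\mathcal{A}'| = 1$, clearly $C(\mathcal{A}') = H(X_{\mathcal{A}'})$.

A single-letter characterization of the SK capacity $C(\mathcal{A}')$ is provided in [6], l?).

Theorem 1. [6], i?] The SK capacity $C(\mathcal{A}')$ equals

$$C(\mathcal{A}') = H(X_\mathcal{M}) - R_{CO}(\mathcal{A}'), \tag{4}$$

where

$$R_{CO}(\mathcal{A}') = \min_{R_\mathcal{M} \in \mathcal{R}(\mathcal{A}')} \sum_{i=1}^{m} R_i, \tag{5}$$

with

$$\mathcal{R}(\mathcal{A}') = \big\{R_\mathcal{M} : R_\mathcal{B} \geq H(X_\mathcal{B} \mid X_{\mathcal{B}^c}), \ \mathcal{B} \subsetneq \mathcal{M}, \ \mathcal{A}' \not\subseteq \mathcal{B}\big\}. \tag{6}$$

Furthermore, the SK capacity can be achieved with noninteractive communication and without recourse to randomization at the terminals in $\mathcal{M}$.

Remark. The SK capacity $C(\mathcal{A}')$ is not increased if the secrecy condition (3) is replaced by either of the following weaker requirements³ [14], [6]:

$$\frac{1}{n} I(K \wedge \mathbf{F}) \leq \epsilon_n \quad \text{and} \quad \frac{1}{n}\big(\log|\mathcal{K}| - H(K)\big) \leq \epsilon_n, \tag{7}$$

or

$$\frac{1}{n} I(K \wedge \mathbf{F}) \leq \epsilon_n \quad \text{and} \quad \limsup_n \frac{1}{n} \log|\mathcal{K}| < \infty. \tag{8}$$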

We recall from that $R_{CO}(\mathcal{A}')$ has the operational significance of being the smallest rate of "communication for omniscience" for $\mathcal{A}'$, namely the smallest rate $\lim_n (1/n) \log\|\mathbf{F}^{(n)}\|$ of suitable communication for the terminals in $\mathcal{M}$ whereby $X_\mathcal{M}^n$ is $\epsilon_n$-recoverable from $(U_i, X_i^n, \mathbf{F}^{(n)})$ at each terminal $i \in \mathcal{A}'$, with $\lim_n \epsilon_n = 0$; here $\|\mathbf{F}^{(n)}\|$ denotes the cardinality of the set of values of $\mathbf{F}^{(n)}$. Thus, $R_{CO}(\mathcal{A}')$ is the smallest rate of interterminal communication among the terminals in $\mathcal{M}$ that enables every terminal in $\mathcal{A}'$ to reconstruct with high probability all the sequences observed by all the other terminals in $\mathcal{M}$ with the cooperation of the terminals in $\mathcal{M} \setminus \mathcal{A}'$. The resulting omniscience for $\mathcal{A}'$ corresponds to total "common randomness" of rate $H(X_\mathcal{M})$. The notion of omniscience, which plays a central role in SK generation for the multiterminal source model [6], will play a material role in the secure computation of $g$ as well.

³When randomization at the terminals in $\mathcal{M}$ is not permitted, the converse proof in [6] uses only the first part of (7) or (8). When randomization is allowed, since the cardinality of the range space of $U_\mathcal{M}$ is unrestricted, the converse proof in [6] uses additionally the second part of (7) or (8).

Noting that $g^n : \mathcal{X}_\mathcal{M}^n \to \mathcal{Y}^n$ implies

$$\frac{1}{n} \log|g^n(\mathcal{X}_\mathcal{M}^n)| \leq \log|\mathcal{X}_\mathcal{M}|, \tag{9}$$

a comparison of the conditions in (2), (9) and (8) that must be met by a securely computable $g$ and a SK $K$, respectively, shows for a given $g$ to be securely computable, it is necessary that

$$H(G) \leq C(\mathcal{M}). \tag{10}$$

Remarkably, it transpires that $H(G) < C(\mathcal{M})$ is a sufficient condition for $g$ to be securely computable, and constitutes our first result.

Theorem 2. A function $g$ is securely computable by $\mathcal{M}$ if

$$H(G) < C(\mathcal{M}). \tag{11}$$

Conversely, if $g$ is securely computable by $\mathcal{M}$, then $H(G) \leq C(\mathcal{M})$.

Theorem 2 is, in fact, a special case of our main result in Theorem 5 below.
Example 1. Let $m = 2$, and let $X_1$ and $X_2$ be $\{0, 1\}$-valued rvs with

$$P_{X_1}(1) = p = 1 - P_{X_1}(0), \quad 0 < p < 1,$$
$$P_{X_2|X_1}(1 \mid 1) = P_{X_2|X_1}(0 \mid 0) = 1 - \delta, \quad 0 < \delta < \tfrac{1}{2}.$$

Let $g(x_1, x_2) = x_1 + x_2 \mod 2$.

From m, m (and also Theorem 1 above), $C(\{1, 2\}) = h(p * \delta) - h(\delta)$, where $p * \delta = (1 - p)\delta + p(1 - \delta)$. Since $H(G) = h(\delta)$, by Theorem 2, $g$ is securely computable if

$$2h(\delta) < h(p * \delta). \tag{12}$$

We give a simple scheme for the secure computation of $g$ when $p = \tfrac{1}{2}$, that relies on Wyner's well-known method for Slepian-Wolf data compression [19] and a derived SK generation scheme in [22], [21]. We can write

$$X_1^n = X_2^n + G^n \mod 2 \tag{13}$$

with $G^n$ being independent separately of $X_2^n$ and $X_1^n$. We observe as in [19] that there exists a binary linear code, of rate $\cong 1 - h(\delta)$, with parity check matrix $\mathbf{P}$ such that $X_1^n$, and so $G^n$, is $\epsilon_n$-recoverable from $(F_1, X_2^n)$ at terminal 2, where the Slepian-Wolf codeword $F_1 = \mathbf{P} X_1^n$ constitutes public communication from terminal 1, and where $\epsilon_n$ decays to 0 exponentially rapidly in $n$. Let $\hat{G}^n$ be the estimate of $G^n$ thereby formed at terminal 2. Further, let $K = K(X_1^n)$ be the location of $X_1^n$ in the coset of the standard array corresponding to $\mathbf{P}$. By the previous observation, $K$ too is $\epsilon_n$-recoverable from $(F_1, X_2^n)$ at terminal 2. From [22], [21], $K$ constitutes a "perfect" SK for terminals 1 and 2, of rate $\cong I(X_1 \wedge X_2) = 1 - h(\delta)$, and satisfying

$$I(K \wedge F_1) = 0. \tag{14}$$

Also, observe from (13) that $K = K(X_1^n) = K(X_2^n + G^n)$ and $F_1 = F_1(X_1^n) = F_1(X_2^n + G^n)$, and for each fixed value of $G^n$, the (common) arguments of $K$ and $F_1$ have the same distribution as $X_1^n$. Hence by (14),

$$I(K \wedge F_1, G^n) = I(K \wedge F_1 \mid G^n) = 0, \tag{15}$$

since $I(K \wedge G^n) \leq I(X_1^n \wedge G^n) = 0$.

Then terminal 2 communicates $\hat{G}^n$ in encrypted form as

$$F_2 = \hat{G}^n + K \mod 2$$

(all represented in bits), with encryption feasible since

$$H(G) = h(\delta) < 1 - h(\delta) \cong \frac{1}{n} H(K),$$

by the sufficient condition (12). Terminal 1 then decrypts $F_2$ using $K$ to recover $\hat{G}^n$. The computation of $g^n$ is secure since

$$I(G^n \wedge F_1, F_2) = I(G^n \wedge F_1) + I(G^n \wedge F_2 \mid F_1)$$

is small; specifically, the first term equals 0 since $I(G^n \wedge F_1) \leq I(G^n \wedge X_1^n) = 0$, while the second term is bounded using (15) according to

$$\begin{aligned} I(G^n \wedge F_2 \mid F_1) &= H(\hat{G}^n + K \mid F_1) - H(\hat{G}^n + K \mid F_1, G^n) \\ &\leq H(K) - H(G^n + K \mid F_1, G^n) + \delta_n \\ &= I(K \wedge F_1, G^n) + \delta_n = \delta_n, \end{aligned}$$

where the inequality follows by Fano's inequality and the exponential decay of $\epsilon_n$ to 0. □

Next, we turn to the general model for the secure computability of $g$ by a given set $\mathcal{A} \subseteq \mathcal{M}$. Again in the manner of (10), it is clear that a necessary condition is

$$H(G) \leq C(\mathcal{A}).$$

In contrast, when $\mathcal{A} \subsetneq \mathcal{M}$, $H(G) < C(\mathcal{A})$ is not sufficient for $g$ to be securely computable by $\mathcal{A}$ as seen by the following simple example.

Example 2. Let $m = 3$, $\mathcal{A} = \{1, 2\}$ and consider rvs $X_1, X_2, X_3$ with $X_1 = X_2$, where $X_1$ is independent of $X_3$ and $H(X_3) < H(X_1)$. Let $g$ be defined by $g(x_1, x_2, x_3) = x_3$, $x_i \in \mathcal{X}_i$, $1 \leq i \leq 3$. Clearly, $C(\{1, 2\}) = H(X_1)$. Therefore, $H(G) = H(X_3) < C(\{1, 2\})$. However, for $g$ to be computed by the terminals 1 and 2, its value must be conveyed to them necessarily by public communication from terminal 3. Thus, $g$ is not securely computable. □

Interestingly, the secure computability of g can be examined in terms of a new SK generation 
problem that is formulated next. 

A. Secret Key Aided by Side Information 

We consider an extension of the SK generation problem in Definition 4, which involves additional side information $Z_{\mathcal{A}'}^n$ that is correlated with $X_\mathcal{M}^n$ and is provided to the terminals in $\mathcal{A}'$ for use in only the recovery stage of SK generation; however, the public communication $\mathbf{F}$ remains as in Definition 1. Formally, the extension is described in terms of generic rvs $(X_1, \ldots, X_m, \{Z_i, i \in \mathcal{A}'\})$, where the rvs $Z_i$ too take values in finite sets $\mathcal{Z}_i$, $i$ in $\mathcal{A}'$. We note that the full force of this extension will not be needed to characterize the secure computability of $g$; an appropriate particularization will suffice. Nevertheless, this concept is of independent interest.

Definition 5. A function $K$ of $(U_\mathcal{M}, X_\mathcal{M}^n, Z_{\mathcal{A}'}^n)$ is an $\epsilon_n$-secret key aided by side information $Z_{\mathcal{A}'}^n$ ($\epsilon_n$-ASK) for the terminals $\mathcal{A}' \subseteq \mathcal{M}$, $|\mathcal{A}'| \geq 2$, achievable from observations of length $n$, randomization $U_\mathcal{M}$ and public communication $\mathbf{F} = \mathbf{F}(U_\mathcal{M}, X_\mathcal{M}^n)$ if it satisfies the conditions in Definition 4 with $(U_i, X_i^n, Z_i^n, \mathbf{F})$ in the role of $(U_i, X_i^n, \mathbf{F})$ in condition (i). The corresponding ASK capacity $C(\mathcal{A}'; Z_{\mathcal{A}'})$ is defined analogously as in Definition 4.

In contrast with the omniscience rate of $H(X_\mathcal{M})$ that appears in the passage following Theorem 1, now an underlying analogous notion of omniscience will involve total common randomness of rate exceeding $H(X_\mathcal{M})$. Specifically, the enhanced common randomness rate will equal the entropy of the "maximum common function" (mcf) of the rvs $(X_\mathcal{M}, Z_i)_{i \in \mathcal{A}'}$, introduced for a pair of rvs in fH (see also El Problem 3.4.27]).

Definition 6. HI For two rvs $Q, R$ with values in finite sets $\mathcal{Q}, \mathcal{R}$, the equivalence relation $q \sim q'$ in $\mathcal{Q}$ holds if there exist $N \geq 1$ and sequences $(q_0, q_1, \ldots, q_N)$ in $\mathcal{Q}$ with $q_0 = q$, $q_N = q'$ and $(r_1, \ldots, r_N)$ in $\mathcal{R}$ satisfying $\Pr(Q = q_{l-1}, R = r_l) > 0$ and $\Pr(Q = q_l, R = r_l) > 0$, $l = 1, \ldots, N$. Denote the corresponding equivalence classes in $\mathcal{Q}$ by $\mathcal{Q}_1, \ldots, \mathcal{Q}_k$. Similarly, let $\mathcal{R}_1, \ldots, \mathcal{R}_{k'}$ denote the equivalence classes in $\mathcal{R}$. As argued in IH, $k = k'$ and for $1 \leq i, j \leq k$,

$$\Pr(Q \in \mathcal{Q}_i \mid R \in \mathcal{R}_j) = \Pr(R \in \mathcal{R}_j \mid Q \in \mathcal{Q}_i) = \begin{cases} 1, & i = j, \\ 0, & i \neq j. \end{cases}$$

The mcf of the rvs $Q, R$ is a rv $\mathrm{mcf}(Q, R)$ with values in $\{1, \ldots, k\}$ and pmf

$$\Pr(\mathrm{mcf}(Q, R) = i) = \Pr(Q \in \mathcal{Q}_i) = \Pr(Q \in \mathcal{Q}_i, R \in \mathcal{R}_i), \quad i = 1, \ldots, k.$$

For rvs $Q_1, \ldots, Q_m$ taking values in finite alphabets, we define the $\mathrm{mcf}(Q_1, \ldots, Q_m)$ recursively by

$$\mathrm{mcf}(Q_1, \ldots, Q_m) = \mathrm{mcf}(\mathrm{mcf}(Q_1, \ldots, Q_{m-1}), Q_m) \tag{16}$$

with $\mathrm{mcf}(Q_1, Q_2)$ as above.
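
The equivalence classes of Definition 6 are the connected components of the bipartite graph whose edges are the pairs (q, r) of positive probability. The following is an added example, not code from the paper: it computes those classes with a union-find and folds over m rvs as in (16); the function names and the three sample pmfs (the second is Example 1's source with p = 1/2 and delta = 0.1) are constructed for illustration.

```python
from math import log2

def support_classes(pairs):
    """Classes of Definition 6: connected components of the bipartite
    support graph, returned as a map q -> class representative."""
    parent = {}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    for q, r in pairs:
        a, b = ("Q", q), ("R", r)
        parent.setdefault(a, a)
        parent.setdefault(b, b)
        parent[find(a)] = find(b)  # q and r lie in matching classes
    return {q: find(("Q", q)) for q, _ in pairs}

def mcf_pmf(joint):
    """pmf of mcf(Q_1, ..., Q_m) for joint = {(q_1, ..., q_m): prob},
    built by the recursion (16): mcf(mcf(Q_1..Q_{m-1}), Q_m)."""
    support = [x for x, p in joint.items() if p > 0]
    label = {x: x[0] for x in support}  # start from Q_1 itself
    for i in range(1, len(support[0])):
        cls = support_classes([(label[x], x[i]) for x in support])
        label = {x: cls[label[x]] for x in support}
    pmf = {}
    for x in support:
        pmf[label[x]] = pmf.get(label[x], 0.0) + joint[x]
    return pmf

def entropy(pmf):
    return -sum(p * log2(p) for p in pmf.values() if p > 0)

# Constructed sample 1: Q = (C, N1), R = (C, N2) share only the fair bit C.
COMMON_BIT = {((c, n1), (c, n2)): 1 / 8
              for c in (0, 1) for n1 in (0, 1) for n2 in (0, 1)}
# Constructed sample 2: Example 1's pair with p = 1/2, delta = 0.1.
# Every (x1, x2) has positive probability, so there is a single class.
BSC = {(a, b): 0.5 * (0.9 if a == b else 0.1) for a in (0, 1) for b in (0, 1)}
# Constructed sample 3: three rvs; the first two share (C, D), the third only C.
THREE = {((c, d, n1), (c, d, n2), (c, n3)): 1 / 32
         for c in (0, 1) for d in (0, 1)
         for n1 in (0, 1) for n2 in (0, 1) for n3 in (0, 1)}

if __name__ == "__main__":
    for name, joint in (("common bit", COMMON_BIT), ("BSC", BSC), ("three", THREE)):
        pmf = mcf_pmf(joint)
        print(name, "classes:", len(pmf), "H(mcf) =", round(entropy(pmf), 6))
```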

Definition 7. With $Q^n$ denoting $n$ i.i.d. repetitions of the rv $Q$, we define

$$\mathrm{mcf}^n(Q_1, \ldots, Q_m) = \{\mathrm{mcf}(Q_{1t}, \ldots, Q_{mt})\}_{t=1}^{n}. \tag{17}$$

Note that $\mathrm{mcf}^n(Q_1, \ldots, Q_m)$ is a function of each individual $Q_i^n$, $i = 1, \ldots, m$.

Remark. As justification for the definition dTSI l. consider a rv $\xi$ that satisfies

$$H(\xi \mid Q_i) = 0, \quad i = 1, \ldots, m, \tag{18}$$

and suppose for any other rv $\xi'$ satisfying (18) that $H(\xi) \geq H(\xi')$. Then Lemma 5 below shows that $\xi$ must satisfy $H(\xi) = H(\mathrm{mcf}(Q_1, \ldots, Q_m))$.

The following result for the mcf of $m \geq 2$ rvs is a simple extension of the classic result for $m = 2$ M Theorem 1].

Lemma 3. Given $0 < \epsilon < 1$, if $\xi^{(n)}$ is $\epsilon$-recoverable from $Q_i^n$ for each $i = 1, \ldots, m$, then

$$\limsup_n \frac{1}{n} H(\xi^{(n)}) \leq H(\mathrm{mcf}(Q_1, \ldots, Q_m)). \tag{19}$$

Proof: The proof involves a recursive application of ifSl, Lemma, Section 4] to $\mathrm{mcf}(Q_1, \ldots, Q_m)$ in (16), and is provided in Appendix A.

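We are now in a position to characterize ASK capacity. In a manner analogous to Theorem 1, this is done in terms of $H(\mathrm{mcf}((X_\mathcal{M}, Z_i)_{i \in \mathcal{A}'}))$ and the smallest rate of communication $R_{CO}(\mathcal{A}'; Z_{\mathcal{A}'})$ for each terminal in $\mathcal{A}'$ to attain omniscience that corresponds to $n$ i.i.d. repetitions of $\mathrm{mcf}((X_\mathcal{M}, Z_i)_{i \in \mathcal{A}'})$.

Theorem 4. The ASK capacity $C(\mathcal{A}'; Z_{\mathcal{A}'})$ equals

$$C(\mathcal{A}'; Z_{\mathcal{A}'}) = H(\mathrm{mcf}((X_\mathcal{M}, Z_i)_{i \in \mathcal{A}'})) - R_{CO}(\mathcal{A}'; Z_{\mathcal{A}'})$$

where

$$R_{CO}(\mathcal{A}'; Z_{\mathcal{A}'}) = \min_{R_\mathcal{M} \in \mathcal{R}(\mathcal{A}'; Z_{\mathcal{A}'})} \sum_{i=1}^{m} R_i,$$

with

$$\mathcal{R}(\mathcal{A}'; Z_{\mathcal{A}'}) = \Big\{R_\mathcal{M} : R_\mathcal{B} \geq \max_{j \in \mathcal{B}^c \cap \mathcal{A}'} H(X_\mathcal{B} \mid X_{\mathcal{B}^c}, Z_j), \ \mathcal{B} \subsetneq \mathcal{M}, \ \mathcal{A}' \not\subseteq \mathcal{B}\Big\}. \tag{20}$$

The proof of Theorem 4 is along the same lines as that of Theorem 1 [6] and is provided in Appendix B.

The remark following Theorem 1 also applies to the ASK capacity $C(\mathcal{A}'; Z_{\mathcal{A}'})$, as will be seen from the proof of Theorem 4.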

B. Characterization of Secure Computability 

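If $g$ is securely computable by the terminals in $\mathcal{A}$, then $G^n$ constitutes an ASK for $\mathcal{M}$ under the constraint (8), of rate $H(G)$, with side information in the form of $G^n$ provided only to the terminals in $\mathcal{A}^c$ in the recovery stage of SK generation. Thus, a necessary condition for $g$ to be securely computable by $\mathcal{A}$, in the manner of (10), is

$$H(G) \leq C(\mathcal{M}; Z_\mathcal{M}), \tag{21}$$

where $Z_\mathcal{M} = Z_\mathcal{M}(\mathcal{A}) = \{Z_i\}_{i \in \mathcal{M}}$ with

$$Z_i = \begin{cases} 0, & i \in \mathcal{A}, \\ G, & i \in \mathcal{A}^c. \end{cases} \tag{22}$$

By particularizing Theorem 4 to the choice of $Z_\mathcal{M}$ as above, the right side of (21) reduces to

$$C(\mathcal{M}; Z_\mathcal{M}) = H(X_\mathcal{M}) - R_{CO}(\mathcal{M}; Z_\mathcal{M}) \tag{23}$$

where

$$R_{CO}(\mathcal{M}; Z_\mathcal{M}) = \min_{R_\mathcal{M} \in \mathcal{R}(\mathcal{M}; Z_\mathcal{M})} \sum_{i=1}^{m} R_i$$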

with 

\ \h{Xb\Xb.,G), B^M.AQB j 

Our main result says that the necessary condition (21) is tight.

Theorem 5. A function $g$ is securely computable by $\mathcal{A} \subseteq \mathcal{M}$ if

$$H(G) < C(\mathcal{M}; Z_\mathcal{M}). \tag{24}$$

Furthermore, under the condition above, $g$ is securely computable with noninteractive communication and without recourse to randomization at the terminals in $\mathcal{M}$.

Conversely, if $g$ is securely computable by $\mathcal{A} \subseteq \mathcal{M}$, then $H(G) \leq C(\mathcal{M}; Z_\mathcal{M})$.

Remarks. (i) It is easy to see that $C(\mathcal{M}) \leq C(\mathcal{M}; Z_\mathcal{M}) = C(\mathcal{M}; Z_\mathcal{M}(\mathcal{A})) \leq C(\mathcal{A})$. In particular, the second inequality holds since in the context of $C(\mathcal{M}; Z_\mathcal{M})$ the side information for recovery $Z_\mathcal{M}$ in (22) is not provided to the terminals in $\mathcal{A}$ and by noting that a SK for $\mathcal{M}$ is also a SK for $\mathcal{A}$.
(ii) Observe in Example 2 that $C(\mathcal{M}; Z_\mathcal{M}) = C(\mathcal{M}) = 0$ and so, by Theorem 5, $g$ is not securely computable as noted earlier.

Example 3. For the auction example in Section I, $\mathcal{A} = \{1, \ldots, m - 1\}$ and $X_1, \ldots, X_{m-1}$ are i.i.d. rvs distributed uniformly on $\{1, \ldots, k\}$, while $X_m = (X_1, \ldots, X_{m-1})$. Let $g_1(x_1, \ldots, x_m) = \max_{1 \leq i \leq m-1} x_i$ and $g_2(x_1, \ldots, x_m) = \arg\max_{1 \leq i \leq m-1} x_i$. Then, straightforward computation yields for $k < m - 1$ that

$$H(G_1) < \log k < H(G_2) = \log(m - 1),$$

and for both $g_1, g_2$ that

$$C(\mathcal{M}; Z_\mathcal{M}) = C(\mathcal{M}),$$

where, by Theorem 1,

$$C(\mathcal{M}) = H(X_\mathcal{M}) - R_{CO}(\mathcal{M}) = (m - 1) \log k - (m - 2) \log k = \log k.$$

By Theorem 5, $g_1$ is securely computable whereas $g_2$ is not. In fact, $g_2$ is not securely computable by any terminal $i \in \{1, \ldots, m - 1\}$. This, too, is implied by Theorem 5 upon noting that for each $i \in \{1, \ldots, m - 1\}$ and a restricted choice $\mathcal{A} = \{i\}$,

$$C(\mathcal{M}; Z_\mathcal{M}(\mathcal{A})) = H(X_i) = \log k < \log(m - 1) = H(G_2),$$

where the first equality is a consequence of remark (i) following Theorem 5 and remark (ii) after Definition 4. □
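
For small models the test of Theorem 5 can be evaluated numerically. The following is an added example, not code from the paper: it evaluates (23), taking the rate region from (20) with $\mathcal{A}' = \mathcal{M}$ and $Z_\mathcal{M}$ as in (22) and reading $R_\mathcal{B}$ as the sum of $R_i$ over $i \in \mathcal{B}$, and solves the linear program by vertex enumeration. The function names, the 0-based terminal indices and the two sample sources (Example 2 with $X_1$ uniform on four values; Example 3 with $m = 4$, $k = 2$) are assumptions made for illustration.

```python
from itertools import combinations, product
from math import log2

def entropy(pmf):
    return -sum(p * log2(p) for p in pmf.values() if p > 0)

def marginal(joint, key):
    """pmf of key(X_M) under joint = {(x_1, ..., x_m): prob}."""
    out = {}
    for x, p in joint.items():
        out[key(x)] = out.get(key(x), 0.0) + p
    return out

def solve(rows, rhs):
    """Gauss-Jordan elimination; returns None when the system is singular."""
    n = len(rows)
    a = [list(r) + [b] for r, b in zip(rows, rhs)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        if abs(a[piv][c]) < 1e-12:
            return None
        a[c], a[piv] = a[piv], a[c]
        for r in range(n):
            if r != c:
                f = a[r][c] / a[c][c]
                a[r] = [u - f * v for u, v in zip(a[r], a[c])]
    return [a[i][n] / a[i][i] for i in range(n)]

def r_co(joint, m, side):
    """min sum_i R_i over the region (20) with A' = M.
    side[j](x) is z_j, a deterministic function of x as in (22), so that
    H(X_B | X_{B^c}, Z_j) = H(X_M) - H(X_{B^c}, Z_j)."""
    h_all = entropy(joint)
    cons = []  # (indicator vector of B, lower bound on R_B)
    for size in range(1, m):
        for B in combinations(range(m), size):
            Bc = [i for i in range(m) if i not in B]
            bound = max(
                h_all - entropy(marginal(
                    joint, lambda x, j=j: (tuple(x[i] for i in Bc), side[j](x))))
                for j in Bc)
            cons.append(([1.0 if i in B else 0.0 for i in range(m)], bound))
    # The singleton constraints keep the region pointed, so the minimum is
    # attained at a vertex: try every choice of m tight constraints.
    best = None
    for pick in combinations(cons, m):
        R = solve([row for row, _ in pick], [b for _, b in pick])
        if R is None:
            continue
        if all(sum(a * r for a, r in zip(row, R)) >= b - 1e-9 for row, b in cons):
            best = sum(R) if best is None else min(best, sum(R))
    return best

def ask_capacity(joint, m, g, A):
    """C(M; Z_M(A)) from (23); Z_i is constant on A and equals G on A^c."""
    side = [(lambda x: 0) if i in A else g for i in range(m)]
    return entropy(joint) - r_co(joint, m, side)

def verdict(joint, m, g, A, tol=1e-9):
    h_g = entropy(marginal(joint, g))
    cap = ask_capacity(joint, m, g, A)
    if h_g < cap - tol:
        return "securely computable", h_g, cap
    if h_g > cap + tol:
        return "not securely computable", h_g, cap
    return "H(G) = C: not settled by Theorem 5", h_g, cap

# Constructed instance of Example 2: X1 = X2 uniform on 4 values, X3 a fair bit.
EX2 = {(a, a, b): 1 / 8 for a in range(4) for b in range(2)}
# Constructed instance of Example 3 with m = 4, k = 2: three bidders, X4 sees all bids.
EX3 = {(a, b, c, (a, b, c)): 1 / 8 for a, b, c in product((1, 2), repeat=3)}

def g_x3(x):   # g of Example 2
    return x[2]

def g_max(x):  # g_1 of Example 3
    return max(x[:3])

if __name__ == "__main__":
    print(verdict(EX2, 3, g_x3, {0, 1}))
    print(verdict(EX3, 4, g_max, {0, 1, 2}))
```

Calling `ask_capacity` with $\mathcal{A} = \mathcal{M}$ makes every $Z_i$ constant, which gives the SK capacity $C(\mathcal{M})$ of Theorem 1.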
C. A Decomposition Result

The sufficiency condition (24) prompts the following two natural questions: Does the difference $C(\mathcal{M}; Z_\mathcal{M}) - H(G)$ possess an operational significance? If $g$ is securely computable by the terminals in $\mathcal{A}$, clearly $G^n$ forms a SK for $\mathcal{A}$. Can $G^n$ be augmented suitably to form a SK for $\mathcal{A}$ of maximum achievable rate?

The answers to both these questions are in the affirmative. In particular, our approach to the second question involves a characterization of the minimum rate of communication for omniscience for $\mathcal{A}$, under the additional requirement that this communication be independent of $G^n$. Specifically, we show below that for a securely computable function $g$, this minimum rate remains $R_{CO}(\mathcal{A})$ (see (5)).

Addressing the first question, we introduce a rv $K_g = K_g^{(n)}$ such that $K = (K_g, G^n)$ constitutes an $\epsilon_n$-ASK for $\mathcal{M}$ with side information $Z_\mathcal{M}$ as in (22) and satisfying the additional requirement

$$I(K_g \wedge G^n) \leq \epsilon_n. \tag{25}$$

Let the largest rate $\lim_n (1/n) \log|\mathcal{K}_g^{(n)}|$ of such an ASK be $C^g(\mathcal{M}; Z_\mathcal{M})$. Observe that since $K$ is required to be nearly independent of $\mathbf{F}$, where $\mathbf{F}$ is the public communication involved in its formation, it follows by (25) that $K_g$ is nearly independent of $(G^n, \mathbf{F})$.

Turning to the second question, in the same vein let $K'_g$ be a rv such that $K' = (K'_g, G^n)$ constitutes an $\epsilon_n$-SK for $\mathcal{A} \subseteq \mathcal{M}$ and satisfying (25). Let $C^g(\mathcal{A})$ denote the largest rate of $K'_g$. As noted above, $K'_g$ will be nearly independent of $(G^n, \mathbf{F}')$, where $\mathbf{F}'$ is the public communication involved in the formation of $K'$.

Proposition 6. For $\mathcal{A} \subseteq \mathcal{M}$, it holds that

(i) $C^g(\mathcal{M}; Z_\mathcal{M}(\mathcal{A})) = C(\mathcal{M}; Z_\mathcal{M}(\mathcal{A})) - H(G)$,
(ii) $C^g(\mathcal{A}) = C(\mathcal{A}) - H(G)$.

Remarks. (i) For the case $\mathcal{A} = \mathcal{M}$, both (i) and (ii) above reduce to $C^g(\mathcal{M}) = C(\mathcal{M}) - H(G)$.
(ii) Theorem 1 and Proposition 6(ii) lead to the observation

$$H(X_\mathcal{M}) = R_{CO}(\mathcal{A}) + H(G) + C^g(\mathcal{A}),$$

which admits the following heuristic interpretation. The "total randomness" $X_\mathcal{M}^n$ that corresponds to omniscience decomposes into three "nearly mutually independent" components: a minimum-sized communication for omniscience for $\mathcal{A}$ and the independent parts of an optimum-rate SK for $\mathcal{A}$ composed of $G^n$ and $K'_g$.

IV. Proofs of Theorem 5 and Proposition 6

A. Proof of Theorem 5

The necessity of (21) follows by the comments preceding Theorem 5.

The sufficiency of (24) will be established by showing the existence of noninteractive public communication comprising source codes that enable omniscience corresponding to $X_\mathcal{M}^n$ at the terminals in $\mathcal{A}$, and thereby the computation of $g$. Furthermore, the corresponding codewords are selected so as to be simultaneously independent of $G^n$, thus assuring security.

First, from (24) and (23), there exists $\delta > 0$ such that $R_{CO}(\mathcal{M}; Z_\mathcal{M}) + \delta < H(X_\mathcal{M} \mid G)$, using $G = g(X_\mathcal{M})$. For each $i$ and $R_i \geq 0$, consider a (map-valued) rv $J_i$ that is uniformly distributed on the family $\mathcal{J}_i$ of all mappings $\mathcal{X}_i^n \to \{1, \ldots, \lceil \exp(nR_i) \rceil\}$, $i \in \mathcal{M}$. The rvs $J_1, \ldots, J_m, X_\mathcal{M}^n$ are taken to be mutually independent.

Fix $\epsilon, \epsilon'$, with $\epsilon' > m\epsilon$ and $\epsilon + \epsilon' < 1$. It follows from the proof of the general source network coding theorem fP. Lemma 3.1.13 and Theorem 3.1.14] that for all sufficiently large $n$,

$$\Pr\Big(\Big\{j_\mathcal{M} \in \mathcal{J}_\mathcal{M} : X_\mathcal{M}^n \text{ is } \epsilon_n\text{-recoverable from } \big(X_i^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n), Z_i^n\big), \ i \in \mathcal{M}\Big\}\Big) \geq 1 - \epsilon, \tag{26}$$

provided $R_\mathcal{M} = (R_1, \ldots, R_m) \in \mathcal{R}(\mathcal{M}; Z_\mathcal{M})$, where $\epsilon_n$ vanishes exponentially rapidly in $n$. This assertion follows exactly as in the proof of [6, Proposition 1, with $\mathcal{A} = \mathcal{M}$] but with $\tilde{X}_i$ there equal to $(X_i, Z_i)$ rather than $X_i$, $i \in \mathcal{M}$. In particular, we shall choose $R_\mathcal{M} \in \mathcal{R}(\mathcal{M}; Z_\mathcal{M})$ such that

J2Rr<Rco{M;ZM) + ^- (27) 

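Below we shall establish that

$$\Pr\big(\{j_\mathcal{M} \in \mathcal{J}_\mathcal{M} : I(j_\mathcal{M}(X_\mathcal{M}^n) \wedge G^n) \geq \epsilon_n\}\big) \leq \epsilon', \tag{28}$$

for all $n$ sufficiently large, to which end it suffices to show that

$$\Pr\Big(\Big\{j_\mathcal{M} \in \mathcal{J}_\mathcal{M} : I\big(j_i(X_i^n) \wedge G^n \mid j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big) \geq \frac{\epsilon_n}{m}\Big\}\Big) \leq \frac{\epsilon'}{m}, \quad i \in \mathcal{M}, \tag{29}$$

since

$$I(j_\mathcal{M}(X_\mathcal{M}^n) \wedge G^n) = \sum_{i=1}^{m} I\big(j_i(X_i^n) \wedge G^n \mid j_1(X_1^n), \ldots, j_{i-1}(X_{i-1}^n)\big).$$

Then it would follow from (26), (28) and definition of $Z_\mathcal{M}$ in (22) that

$$\Pr\Big(\Big\{j_\mathcal{M} \in \mathcal{J}_\mathcal{M} : G^n \text{ is } \epsilon_n\text{-recoverable from } \big(X_i^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big), \ i \in \mathcal{A}, \text{ and } I(j_\mathcal{M}(X_\mathcal{M}^n) \wedge G^n) < \epsilon_n\Big\}\Big) \geq 1 - \epsilon - \epsilon'.$$

This shows the existence of a particular realization $j_\mathcal{M}$ of $J_\mathcal{M}$ such that $G^n$ is $\epsilon_n$-SC from $\big(X_i^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big)$ for each $i \in \mathcal{A}$.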

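It now remains to prove (29). Fix $i \in \mathcal{M}$ and note that for each $j_i \in \mathcal{J}_i$, with $\|j_i\|$ denoting the cardinality of the (image) set $j_i(\mathcal{X}_i^n)$,

$$\begin{aligned} &\leq I\big(j_i(X_i^n) \wedge G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big) + \log\|j_i\| - H(j_i(X_i^n)) \\ &= D\Big(j_i(X_i^n), \big(G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big) \,\Big\|\, U_{j_i(\mathcal{X}_i^n)} \times \big(G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big)\Big), \end{aligned} \tag{30}$$

where the right side above denotes the (Kullback-Leibler) divergence between the joint pmf of $j_i(X_i^n), \big(G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big)$ and the product of the uniform pmf on $j_i(\mathcal{X}_i^n)$ and the pmf of $\big(G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big)$. Using [6, Lemma 1], the right side of (30) is bounded above further by

$$s_{var} \log \frac{\|j_i(\mathcal{X}_i^n)\|}{s_{var}}, \tag{31}$$

where $s_{var} = s_{var}\big(j_i(X_i^n); G^n, j_{\mathcal{M} \setminus \{i\}}(X_{\mathcal{M} \setminus \{i\}}^n)\big)$ is the variational distance between the pmfs in the divergence above. Therefore, to prove (29), it suffices to show that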



Pr {{jM e Jm ■■ s^,ar {Mxry,G'\jMW} {^MW})) > ^}) < ^, « ^ M, (32) 

on account of the fact that $\log\|j_i(\mathcal{X}_i^n)\| = O(n)$, and the exponential decay to 0 of $\epsilon_n$. Defining

Ji = [jM\{t} e Jm\{i} ■■ X% is e„-recoverable from (^Xf, Ja^\{,} [X']^s^s^^j ' ^'") I ' 
we have by ^ that Pr ijM\{i} e J,) > 1 - e. Thus, in ^, 

Pr (|.7X e Jm ■■ Svar [ji (X") ; G'^,JM\{t} (-''^Ai\{i})) - ~}) 
< e + X! ^^ i-^MMi} = JM\{t}) X 

Pr ({j. e J-. : s,,ar {MXr);G\jMW} (^X.\{.})) ^ ^}) ' 
since J^ is independent of JmMi}- Thus, (|32] |. and hence ( |29] l. will follow upon showing that 



■r ({j. e J, : s,„. (j,(Xr); G", j^\{,} (^Xi\«)) > ^}) < ^ - e, Ja^\W e i., (33) 



for all n sufficiently large. Fix iM\{i\ "= Ji- We take recourse to Lemma |C2l in Appendix C, and set 

V^X-%,,U' ^ X^, V^G",h^ jMW}, and 

for some mapping ipi. By the definition of J, 

Pr{UeUo)>l~en, 

so that condition (C2)(i) preceding Lemma C2 is met. Condition (C2)(ii), too, is met since conditioned on the events in (C2)(ii), only those $x_\mathcal{M}^n \in \mathcal{U}_0$ can occur that are determined uniquely by their $i$th components $x_i^n$.
Upon choosing 



d = exp 



niHiXMlG)-- 



in ( IC3l l, the hypotheses of Lemma IC2I are satisfied with A = y^, for an appropriate exponentially 
vanishing e„. Then, by Lemma IC2l with 



[exp[ni?i]] , 



exp 



/eA^\{i} 



and with $J_i$ in the role of $\phi$, we get from (C4) and (27) that

decays to 0 doubly exponentially in $n$, which proves (33). This completes the proof of Theorem 5. □



B. Proof of Proposition 6

(i) Since the rv $(K_g, G^n)$, with nearly independent components, constitutes an ASK for $\mathcal{M}$ with side information $Z_\mathcal{M}$ as in (22), it is clear that

$$H(G) + C^g(\mathcal{M}; Z_\mathcal{M}) \leq C(\mathcal{M}; Z_\mathcal{M}). \tag{34}$$

In order to prove the reverse of (34), we show that $C(\mathcal{M}; Z_\mathcal{M}) - H(G)$ is an achievable ASK rate for $K_g$ that additionally satisfies (25). First, note that in the proof of Theorem 5, the assertions (26) and (29) mean that for all sufficiently large $n$, there exists a public communication $F_\mathcal{M}$, say, such that $I(F_\mathcal{M} \wedge G^n) < \epsilon_n$ and $X_\mathcal{M}^n$ is $\epsilon_n$-recoverable from $(X_i^n, F_\mathcal{M}, Z_i^n)$ for every $i \in \mathcal{M}$, with $\lim_n \epsilon_n = 0$.

Fix $0 < \tau < \delta$, where $\delta$ is as in the proof of Theorem 5. Apply Lemma C2, choosing



(35) 



U^U'=X%, Uo^X'jU, V^G'\ Ii^Fm, d^cxp\ni^H{XM\G)~- 
whereby the hypothesis (C3) of Lemma C2 is satisfied for all $n$ sufficiently large. Fixing

n(Rco{M;ZM) + 



exp 



by Lemma IC2I a randomly chosen of rate 



1 



- logr = H{Xm\G) - Rco {M; Zm)-t^C {M; Zm) - H{G) ~ r 
n 

will yield an ASK $K_g = K_g^{(n)} = \phi(X_\mathcal{M}^n)$ which is nearly independent of $(F_\mathcal{M}, G^n)$ (and, in particular, satisfies (25)) with positive probability, for all $n$ sufficiently large.

(ii) The proof can be completed as that of part (i) upon showing that for a securely computable $g$, for all $\tau > 0$ and $n$ sufficiently large, there exists a public communication $F'_\mathcal{M}$ that meets the following requirements: its rate does not exceed $R_{CO}(\mathcal{A}) + \tau$; $I(F'_\mathcal{M} \wedge G^n) < \epsilon_n$; and $X_\mathcal{M}^n$ is $\epsilon_n$-recoverable from $(X_i^n, F'_\mathcal{M})$ for every $i \in \mathcal{A}$. To that end, for $R_\mathcal{M} = (R_1, \ldots, R_m) \in \mathcal{R}(\mathcal{M}; Z_\mathcal{M})$ as in the proof of Theorem 5, consider $R'_\mathcal{M} = (R'_1, \ldots, R'_m) \in \mathcal{R}(\mathcal{A})$ that satisfies $R'_i \leq R_i$ for all $i \in \mathcal{M}$ and

i=l 

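noting that $\mathcal{R}(\mathcal{M}; Z_{\mathcal{M}}) \subseteq \mathcal{R}(\mathcal{A})$. Further, for $J_{\mathcal{M}}$ and $\mathcal{J}_{\mathcal{M}}$ as in that proof, define a (map-valued) rv $J'_i$ that is uniformly distributed on the family $\mathcal{J}'_i$ of all mappings from $\{1, \ldots, \lceil \exp(nR_i) \rceil\}$ to $\{1, \ldots, \lceil \exp(nR'_i) \rceil\}$, $i \in \mathcal{M}$. The random variables $J_1, \ldots, J_m, J'_1, \ldots, J'_m, X_{\mathcal{M}}^n$ are taken to be mutually independent. Define $\mathcal{J}^0_{\mathcal{M}}$ as the set of mappings $j_{\mathcal{M}} \in \mathcal{J}_{\mathcal{M}}$ for which there exists a $j'_{\mathcal{M}} \in \mathcal{J}'_{\mathcal{M}}$ such that $X_{\mathcal{M}}^n$ is $\epsilon_n$-recoverable from $(X_i^n, j'_{\mathcal{M}}(j_{\mathcal{M}}(X_{\mathcal{M}}^n)))$ for every $i \in \mathcal{A}$. By the general source network coding theorem [S] Lemma 3.1.13 and Theorem 3.1.14], applied to the random mapping $J'_{\mathcal{M}}(J_{\mathcal{M}})$, it follows that for all sufficiently large $n$,

$$\Pr(J_{\mathcal{M}} \in \mathcal{J}^0_{\mathcal{M}}) > 1 - \epsilon.$$

This, together with (26) and (29) in the proof of Theorem 5, imply that for a securely computable $g$ there exist $j_{\mathcal{M}} \in \mathcal{J}^0_{\mathcal{M}}$ and $j'_{\mathcal{M}} \in \mathcal{J}'_{\mathcal{M}}$ for which the public communication $F'_{\mathcal{M}} = j'_{\mathcal{M}}(j_{\mathcal{M}}(X_{\mathcal{M}}^n))$ satisfies the aforementioned requirements. Finally, apply Lemma C2 with $U, U', \mathcal{U}_0, V$ and $d$ as in (35) but with $h = F'_{\mathcal{M}}$ and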

71 (Rco (A) + J 



exp 



As in the proof above of part (i), a SK $K'_g = K'^{(n)}_g$ of rate

$$\frac{1}{n} \log r = H(X_{\mathcal{M}} \mid G) - R_{CO}(\mathcal{A}) - \tau = C(\mathcal{A}) - H(G) - \tau$$

which is nearly independent of $(F'_{\mathcal{M}}, G^n)$ (and, hence, satisfies (25)) exists for all $n$ sufficiently large. □

V. Discussion 

We obtain simple necessary and sufficient conditions for secure computability involving function 
entropy and ASK capacity. The latter is the largest rate of a SK for a new model in which side information 
is provided for use in only the recovery stage of SK generation. This model could be of independent 
interest. In particular, a function is securely computable if its entropy is less than ASK capacity of an 
associated secrecy model. The difference is shown to correspond to the maximum achievable rate of an 
ASK which is independent of the securely computed function and, together with it, forms an ASK of 
optimum rate. Also, a function that is securely computed by A can be augmented to form a SK for A 
of maximum rate. 

Our results extend to functions defined on a block of symbols of fixed length in an obvious manner
by considering larger alphabets composed of supersymbols of such length. However, they do not cover
functions of symbols of increasing length (in n).

In our proof of Theorem 5, $g$ was securely computed from omniscience at all the terminals in $\mathcal{A} \subseteq \mathcal{M}$ that was attained using noninteractive public communication. However, as Example 1 illustrates, omniscience is not necessary for the secure computation of $g$, and it is possible to make do with communication of rate less than $R_{CO}(\mathcal{M})$ using an interactive protocol. A related unresolved question is: what is the minimum rate of public communication for secure computation?

A natural generalization of the conditions for secure computability of $g$ by $\mathcal{A} \subseteq \mathcal{M}$ given here entails a characterization of conditions for the secure computability of multiple functions $g_1, \ldots, g_k$ by subsets $\mathcal{A}_1, \ldots, \mathcal{A}_k$ of $\mathcal{M}$, respectively. This unsolved problem, in general, will not permit omniscience for any $\mathcal{A}_i$, $i = 1, \ldots, k$. For instance with $m = 2$, $\mathcal{A}_1 = \{1\}$, $\mathcal{A}_2 = \{2\}$, and $X_1$ and $X_2$ being independent, the functions $g_i(x_i) = x_i$, $i = 1, 2$, are securely computable trivially, but not through omniscience since, in this example, public communication is forbidden for the secure computation of $g_1, g_2$.

Appendix A 

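The proof of Lemma 3 is based on IH Lemma, Section 4], which is paraphrased first. Let the rvs $Q$ and $R$ take values in the finite sets $\mathcal{Q}$ and $\mathcal{R}$, respectively. For a stochastic matrix $W : \mathcal{Q} \to \mathcal{Q}$, let $\{\mathcal{D}_1, \ldots, \mathcal{D}_l\}$ be the ergodic decomposition (into communicating classes) (cf. e.g., [12]) of $\mathcal{Q}$ based on $W$. Let $\mathcal{D}^{(n)}$ denote a fixed ergodic class of $\mathcal{Q}^n$ (the $n$-fold Cartesian product of $\mathcal{Q}$) on the basis of $W^n$ (the $n$-fold product of $W$). Let $\mathcal{D}'^{(n)}$ and $\mathcal{R}^{(n)}$ be any (nonempty) subsets of $\mathcal{D}^{(n)}$ and $\mathcal{R}^n$, respectively.

Lemma GK. Ml? For $\mathcal{D}^{(n)}, \mathcal{D}'^{(n)}, \mathcal{R}^{(n)}$ as above, assume that

$$\Pr\left(Q^n \in \mathcal{D}'^{(n)} \mid R^n \in \mathcal{R}^{(n)}\right) > \exp[-n\epsilon_n], \qquad \Pr\left(R^n \in \mathcal{R}^{(n)} \mid Q^n \in \mathcal{D}'^{(n)}\right) > \exp[-n\epsilon_n], \tag{A1}$$

where $\lim_n \epsilon_n = 0$. Then (as stated in |S] bottom of p. 157]),

$$\frac{\Pr\left(Q^n \in \mathcal{D}'^{(n)}\right)}{\Pr\left(Q^n \in \mathcal{D}^{(n)}\right)} > \exp[-n\kappa\epsilon_n \log^2 \epsilon_n], \tag{A2}$$

for a (positive) constant $\kappa$ that depends only on the pmf of $(Q, R)$ and on $W$.

A simple consequence of (A2) is that for a given ergodic class $\mathcal{D}^{(n)}$ and disjoint subsets $\mathcal{D}_1^{(n)}, \ldots, \mathcal{D}_t^{(n)}$ of it, and subsets $\mathcal{R}_1^{(n)}, \ldots, \mathcal{R}_t^{(n)}$ (not necessarily distinct) of $\mathcal{R}^n$, such that $\mathcal{D}_{t'}^{(n)}, \mathcal{R}_{t'}^{(n)}$, $t' = 1, \ldots, t$, satisfy (A1), then

$$t < \exp[n\kappa\epsilon_n \log^2 \epsilon_n]. \tag{A3}$$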

Note that the ergodic decomposition of $\mathcal{Q}^n$ on the basis of $W^n$ for the specific choice

$$W(q \mid q') = \sum_r \Pr(Q = q \mid R = r) \Pr(R = r \mid Q = q'), \quad q, q' \in \mathcal{Q},$$

corresponds to the set of values of mcf$^n(Q, R)$ defined by ( fTTb fS). Next, pick $Q = Q_m$, $R = (Q_1, \ldots, Q_{m-1})$, and define the stochastic matrix $W : \mathcal{Q} \to \mathcal{Q}$ by

$$W(q \mid q') = \sum_a \Pr\left(Q = q \mid \text{mcf}(Q_1, \ldots, Q_{m-1}) = a\right) \Pr\left(\text{mcf}(Q_1, \ldots, Q_{m-1}) = a \mid Q = q'\right), \quad q, q' \in \mathcal{Q}. \tag{A4}$$

The ergodic decomposition of $\mathcal{Q}^n$ on the basis of $W^n$ (with $W$ as in (A4)) will correspond to the set of values of mcf$^n(Q_1, \ldots, Q_m)$, recalling ( fT6b . Since ^^"^ is $\epsilon$-recoverable from $Q_i^n$, $i = 1, \ldots, m$, note that

also is e-recoverable in the same sense, recalling definition [7] This implies the existence of mappings 

^j , i = 1, ..., m, satisfying 

pr (e;^"'(or) = ... = cirHQrn) - e'("') > i - e. (as) 

For each fixed value c = (ci, C2) of ^''■"■', let 

7^i"' = {(9^ ...,C-i) e Qr X ... X Q;J,_i : ef '(gD = c,z = 1, ...,m - l} . 
Let C(e) denote the set of c's such that 

Pr (q" e 2?(") I i?" e 7^(")) > 1 - \/^, 

Pr (i?" e 7^(") I Q" e Pf )) > 1 - V^. (A6) 

Then, as in Is] Proposition 1], it follows from ( IA5l l that 

Pr fe''"' e C(e)) > 1 - 4^/i. (A7) 



Next, we observe for each fixed $c_2$, that the disjoint sets $\mathcal{D}_{c_1, c_2}$ lie in a fixed ergodic class of $\mathcal{Q}^n$ (determined by $c_2$). Since (A6) are compatible with the assumption (A1) for all $n$ sufficiently large, we have from (A3) that

$$\|\{c_1 : (c_1, c_2) \in C(\epsilon)\}\| < \exp[n\kappa\epsilon_n \log^2 \epsilon_n], \tag{A8}$$

where $\kappa$ depends on the pmf of $(Q_1, \ldots, Q_m)$ and $W$ in (A4), and where $\lim_n \epsilon_n = 0$. Finally,



n V / n \ 

< H (mcf (Qi, ..., Q™)) + liJ (e("\ 1 (C'(") e C(e)) | mcf "(Qi, ..., Q„)) 



71 

i7(mcf(Qi,...,Q™)) + - 



<iJ(mcf(Qi,...,Q„0) + <5„, 
where $\lim_n \delta_n = 0$ by (A7) and (A8). □
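The ergodic-decomposition view of the maximum common function used in this appendix can be computed directly from a joint pmf. The following is an added example, not code from the paper: it uses the fact that $W(q \mid q') > 0$ exactly when $q$ and $q'$ co-occur with a common symbol at another terminal, so the communicating classes are the connected components of the support, and it extends this from two terminals to $m$ by merging across all coordinates. The function name `mcf`, the sample pmfs and the use of bits are assumptions of the example.

```python
from math import log2

def mcf(joint):
    """joint: {(q_1, ..., q_m): prob}. Returns (label, entropy_bits), where
    label[(i, q_i)] is the value of the maximum common function as computed
    by terminal i from its own symbol q_i."""
    parent = {}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    # Symbols that co-occur with positive probability communicate with each
    # other, so they are merged into one class.
    for qs, p in joint.items():
        if p <= 0:
            continue
        nodes = list(enumerate(qs))         # (terminal index, symbol) pairs
        for nd in nodes:
            parent.setdefault(nd, nd)
        for nd in nodes[1:]:
            parent[find(nd)] = find(nodes[0])

    label = {nd: find(nd) for nd in parent}
    mass = {}
    for qs, p in joint.items():
        if p > 0:
            c = label[(0, qs[0])]
            mass[c] = mass.get(c, 0.0) + p
    return label, -sum(p * log2(p) for p in mass.values())

# Constructed pmfs (not from the paper).
# Two terminals whose support splits into two blocks: mcf is one fair bit.
TWO_BLOCKS = {(0, "a"): 1/6, (0, "b"): 1/6, (1, "b"): 1/6,
              (2, "c"): 1/6, (3, "c"): 1/6, (3, "d"): 1/6}
# Independent X_1, X_2 as in the Discussion: the only common function is constant.
INDEPENDENT = {(x1, x2): 0.25 for x1 in (0, 1) for x2 in (0, 1)}
# Three terminals sharing one bit through different local symbols.
THREE_TERMINALS = {(0, 0, 0): 0.25, (0, 1, 0): 0.25,
                   (1, 2, 1): 0.25, (1, 2, 2): 0.25}
```
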
Appendix B

Considering first the achievability part, fix $\delta > 0$. From the result for a general source network 13] Theorem 3.1.14] it follows, as in the proof of [6, Proposition 1], that for $R_{\mathcal{M}} \in \mathcal{R}(\mathcal{A}'; Z_{\mathcal{A}'})$ and all $n$ sufficiently large, there exists a noninteractive communication $F^{(n)} = (F_1^{(n)}, \ldots, F_m^{(n)})$ with

$$\frac{1}{n} \log \|F^{(n)}\| < \sum_{i=1}^{m} R_i + \delta,$$

such that $X_{\mathcal{M}}^n$ is $\epsilon_n$-recoverable from $(X_i^n, Z_i^n, F^{(n)})$, $i \in \mathcal{M}$. Therefore, $\{\text{mcf}((X_{\mathcal{M}t}, Z_{it})_{i \in \mathcal{A}'})\}_{t=1}^{n}$ is $\epsilon_n$-recoverable from $(X_i^n, Z_i^n, F^{(n)})$, $i \in \mathcal{A}'$. The last step takes recourse to Lemma C2 in Appendix C. Specifically, choose $U = U' = \{\text{mcf}((X_{\mathcal{M}t}, Z_{it})_{i \in \mathcal{A}'})\}_{t=1}^{n}$, $\mathcal{U}_0 = \mathcal{U}$, $V = $ constant, $h = F^{(n)}$, $d = \exp[n(H(\text{mcf}((X_{\mathcal{M}}, Z_i)_{i \in \mathcal{A}'})) - \delta)]$, whereby the hypothesis (C3) of Lemma C2 is satisfied for all $n$ sufficiently large. Fixing



exp 






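Lemma C2 implies the existence of a $\phi$, and thereby an ASK $K^{(n)} = \phi(\{\text{mcf}((X_{\mathcal{M}t}, Z_{it})_{i \in \mathcal{A}'})\}_{t=1}^{n})$, of rate

$$\frac{1}{n} \log r = H(\text{mcf}((X_{\mathcal{M}}, Z_i)_{i \in \mathcal{A}'})) - \sum_{i=1}^{m} R_i - 3\delta.$$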



In particular, we can choose 



/ , ^t < -Rco (-4'; Zyi' 



Since $\delta$ was arbitrary, this establishes the achievability part.

We prove the converse part under either of the weaker conditions (7) or (O. Let $K = K^{(n)}(U_{\mathcal{M}}, X_{\mathcal{M}}^n, Z_{\mathcal{A}'}^n)$ be an $\epsilon_n$-ASK for $\mathcal{A}'$, achievable using observations of length $n$, randomization $U_{\mathcal{M}}$, public communication $F = F(U_{\mathcal{M}}, X_{\mathcal{M}}^n)$ and side information $Z_{\mathcal{A}'}^n$. Then,

$$\frac{1}{n} H(K) < \frac{1}{n} H(K \mid F) + \epsilon_n. \tag{B1}$$


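Let $K_u = K(u, X_{\mathcal{M}}^n, Z_{\mathcal{A}'}^n)$ denote the random value of the ASK for a fixed $U_{\mathcal{M}} = u$. Since $(X_{\mathcal{M}}^n, K)$ is $\epsilon_n$-recoverable from the rvs $(U_{\mathcal{M}}, X_i^n, Z_i^n)$ for each $i \in \mathcal{A}'$,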

Pum ({" • {Xm,Ku) is ^e^-recoverable from {Um = u,X']^,Zl) for each i ^ A' }) 

(B2) 
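Also, for each $U_{\mathcal{M}} = u$,

$$\frac{1}{n} H(X_{\mathcal{M}}^n, K \mid U_{\mathcal{M}} = u) = \frac{1}{n} H(X_{\mathcal{M}}^n, K_u)$$

by independence of $U_{\mathcal{M}}$ and $(X_{\mathcal{M}}^n, Z_{\mathcal{A}'}^n)$, and therefore, by Lemma 3, for $u$ in the set in (B2),

$$\frac{1}{n} H(X_{\mathcal{M}}^n, K \mid U_{\mathcal{M}} = u) < H(\text{mcf}((X_{\mathcal{M}}, Z_i)_{i \in \mathcal{A}'})) + \delta_n, \tag{B3}$$

for all $n$ sufficiently large and where $\lim_n \delta_n = 0$. Then,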



^H{UM,Xli,K) < ^H (Um) + H (mcf {{Xm, Z,),eA')) + Sn + V^log (IXmWZmI) , (B4) 

by (B2) and (B3). The proof is now completed along the lines of [6, Lemma 2 and Theorem 3].
Specifically, denoting the set of positive integers $\{1, \ldots, l\}$ by $[1, l]$,

1 1 ™ 1 

-H{Um,X2„K) = -iJ(X I F) + ^ i?: + -i/(t/>,), 



i=l 



where 



R^^- E ^(^- I ^[i.-i]) + -^ (f^^'^" I F,A;[/[i,,_ii,Xfi^,_i]) - HiU,). (B5) 



n 

I/:!/— z mod m 

Consider B '^ M, A' (^ B. For j £ yl' n S'', we have 

-h(c/b) + -i/(XB I x^.,z;;) = -h{Ub,x'^ \ c/Be,xs.,z;) 

n n n 

= —H (Fi, ...,Frm,K,UB,Xg I t/Bc,X]i^^, Z") . 

Furthermore, since K is e„ -recoverable from (F, Ub'^jX^c, Z"^) and H{Fi, \ UB^,Xga) = for i' = i 
mod 771 with i G i?"^. 



1 



-H [Fi, ...,Frm,K,UB,Xg I f/Bc,X]|c, Z") 
''™ 1 

= - Vi/(F, I F[i,,_i],;7Be,xs.,z;) + -i/(if I [/b=,xs.,z7,f) 

"I Z_^^ \Ui,X^^ I C/5cn[j+i^,„],Xgcn[i+i,m],-^",F, A, [/[I j_i],X[" j_;^- 



ies 



<-E 

77 ^^ 



^ i/ (F, I F[i,._i]) + i? iu,,X: I F,i^, t/[i,._i],X['} ,_i 



_i.':t'— -i mod m 



e„ log 1^1 + 1 



(B6) 



ieB 
where 



i?.^fi^- + ^"^°g'^' + ^ 'l, 7G^. 
It follows from (EB and ^^-^B that

-H{K) < H (mcf {{XM,Z^)^eA')) - E ^' + f^" + -^^ + '"^"^''^'^^ + V^log (l-^Aill^. 



M\ 
4=1 ^ 

(B7) 
where i?^ € 7^ {A' , Zj^^) from ( |B6t . and therefore 

m 

Y.R.>Rco{A',Za'). (B8) 



i=l 

Then, (|B7l), dill) imply 

n \ n 

The proof is completed using the second part of dH) directly, or the second part of (7) in the manner of
|[51 Theorem 3]. This completes the converse part. □

Appendix C 

Our proofs of achievability in Theorem 4 and sufficiency in Theorem 5 rely on a "balanced coloring lemma" in HI; we state below a version of it from [6].

Lemma C1. [6, Lemma 3.1] Let $\mathcal{P}$ be any family of $N$ pmfs on a finite set $\mathcal{U}$, and let $d > 0$ be such that $P \in \mathcal{P}$ satisfies

$$P\left(\left\{u : P(u) > \frac{1}{d}\right\}\right) < \epsilon, \tag{C1}$$

for some $0 < \epsilon < (1/9)$. Then the probability that a randomly selected mapping $\phi : \mathcal{U} \to \{1, \ldots, r\}$ fails to satisfy

$$\sum_{i=1}^{r} \left| \sum_{u : \phi(u) = i} P(u) - \frac{1}{r} \right| < 3\epsilon,$$

simultaneously for each $P \in \mathcal{P}$, is less than $2Nr$ exp ( — ^ ) .
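The following added example (not code from the paper) illustrates what Lemma C1 buys for secrecy: one random coloring $\phi$ is nearly uniform under every pmf of a family of conditional distributions at once, so the key $\phi(U)$ leaks almost nothing about the public message. It assumes the threshold in (C1) is $1/d$, and the source size, the message map `h` and all function names are constructed for the illustration.

```python
import random
from math import log2

def imbalance(pmf, phi, r):
    """Left side of Lemma C1's bound: sum_i | P(phi^{-1}(i)) - 1/r |."""
    mass = [0.0] * r
    for u, p in pmf.items():
        mass[phi[u]] += p
    return sum(abs(m - 1.0 / r) for m in mass)

def leakage_bits(n_u, h, phi, r, r_prime):
    """I(K ^ F) in bits for U uniform on range(n_u), K = phi(U), F = h(U)."""
    joint = [[0.0] * r for _ in range(r_prime)]
    for u in range(n_u):
        joint[h(u)][phi[u]] += 1.0 / n_u
    pk = [sum(row[i] for row in joint) for i in range(r)]
    info = 0.0
    for row in joint:
        pf = sum(row)
        for i, p in enumerate(row):
            if p > 0:
                info += p * log2(p / (pf * pk[i]))
    return info

def demo(seed=2024, n_u=1 << 14, r=4, r_prime=8):
    rng = random.Random(seed)
    phi = [rng.randrange(r) for _ in range(n_u)]    # one random coloring
    h = lambda u: u % r_prime                       # constructed public message
    # Family of N = r' pmfs: U given h(U) = j, each uniform on n_u / r' points,
    # so (C1) holds with d = n_u / r' (no atom exceeds 1/d).
    worst = 0.0
    for j in range(r_prime):
        support = range(j, n_u, r_prime)
        pmf = {u: 1.0 / len(support) for u in support}
        worst = max(worst, imbalance(pmf, phi, r))
    # A pmf violating (C1) for the same d: half of the mass sits on one atom.
    peaked = {u: 0.5 / (n_u - 1) for u in range(1, n_u)}
    peaked[0] = 0.5
    return worst, leakage_bits(n_u, h, phi, r, r_prime), imbalance(peaked, phi, r)
```

`demo()` returns the worst imbalance over the family, the leakage $I(K \wedge F)$ in bits, and the imbalance of the peaked pmf, which no coloring can balance.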

In contrast to the application of Lemma C1 in [6, Lemma B.2], our mentioned proofs call for a balanced coloring of a set corresponding to a rv that differs from another rv for which probability bounds are used. However, both rvs agree with high probability when conditioned on a set of interest.

Consider rvs $U, U', V$ with values in finite sets $\mathcal{U}, \mathcal{U}', \mathcal{V}$, respectively, where $U'$ is a function of $U$, and a mapping $h : \mathcal{U} \to \{1, \ldots, r'\}$. For $\lambda > 0$, let $\mathcal{U}_0$ be a subset of $\mathcal{U}$ such that
(i) $\Pr(U \in \mathcal{U}_0) > 1 - \lambda^2$;
(ii) given $U \in \mathcal{U}_0$, $h(U) = j$, $U' = u'$, $V = v$, there exists $u = u(u') \in \mathcal{U}_0$ satisfying

$$\Pr(U = u \mid h(U) = j, V = v, U \in \mathcal{U}_0) = \Pr(U' = u' \mid h(U) = j, V = v, U \in \mathcal{U}_0), \quad 1 \le j \le r', \ v \in \mathcal{V}. \tag{C2}$$


Then the following holds.

Lemma C2. Let the rvs $U, U', V$ and the set $\mathcal{U}_0$ be as above. Further, assume that

$$P_{UV}\left(\left\{(u, v) : \Pr(U = u \mid V = v) > \frac{1}{d}\right\}\right) < \lambda^2. \tag{C3}$$

Then, a randomly selected mapping $\phi : \mathcal{U}' \to \{1, \ldots, r\}$ fails to satisfy






Y^ Pr {U' = u' I h{U) =j,V = v) - - 



u'GW: (p{u')—i 



< 14A, (C4) 



with probability less than 2rr'\V\ exp ( — ^^-^ J for a constant c > 0. 

Proof: Using the condition (i) in the definition of $\mathcal{U}_0$, the left side of (C4) is bounded above by






E 



Y, PriU' = u'\hiU)=j,V = v,UeUo)-- 



u' ^W:(f){u')—i 



Therefore, it is sufficient to prove that 






E 



Y Pr iU' = u I h[U) =j,V = v,UeUo)-- 



u' £U':(f)(u')—i 



< 12A, 
(C5) 



with probability greater than 1 — 2rr'|V| exp ( — ^^^r ) for a constant c > 0. 
Let q = Pv (Iv eV:PT{UeUo\V^v)< ^ j") . Then, since 

l-X^ <Pr{U eUo)< Y Pr [U e Uo\V = v) Pv {v) + (l - q) 

veV:PT{ueUo\v=v}<^^^ 



1 - A2 



we get from the extremities above that 



q< 



3A^ 



(C6) 



For u e Uq and u G V satisfying 



1 _ \2 3 

Pr ([/ G Uo\V ^v)> — - — , Pr {U = u\V = v,U e Uo) > 



d(l-A2)' 



(C7) 
we have that



Py(U^u\V^v) > -,. 
a 



Therefore, by (|C6] | and dCST i, it follows that 



c\2 

Y^ PT{U = u,V = v)<X^ + q<—, 

(u.v): uGUo, Pr(U=u\V=v,UeUo)>^^j^:^ 

which is the same as 

Y, 5Zp^ C^iU) = j, F = i;, (7 G Wo) 

53 Pr(C/ = ii|;i(C/)=j,F = «,C/eZ^o)<— . (C8) 

The bound in (C8) will now play the role of inequality (50), p. 3059] and the remaining steps of
our proof, which are parallel to those in [6, Lemma B.2], are provided here for completeness.
Setting 

D=}{j,v): Yl PT{U^u\hiU)=j,V = v,UeUo)<^y (C9) 

we get that 

Y Pr{h{U)^j,V^v,UeUo)<X. (CIO) 

{j,v)eD'= 

Next, defining 

E = jo; v) : Pr {h{U) =j,V^v,Ue Uo) > ^Pr (F = v, [/ G ZYo)| , (CI 1) 

it holds for (j, v) € i?, 

r' 
Pr ([/ = m|/i(C/) ^j,V^v,Ue Ua) < -Pr ([/ = u\V = v,U e Uq) . (C12) 

A 

Also, 

Y Pr(/i(C/)=j,F = t;,t/€Wo)<^^^Pr(y = i>,t/eZ^o) 
U,v)eE'' j=ivev 

< A. (C13) 

Further, for (j, v) € E, if 

Pr (C/ = u|;i(C/) = J, V^ = u, [/ e Z^o) > ^^.j^'^ ^2) (C14) 
then from (C12), we have



Pr{U ^u\V = v,U eUo) > 



d(l-A2)- 
Therefore, recalling the conditions that define $\mathcal{U}_0$ in (C2), we have for $(j, v) \in E \cap D$ that

Y, PriU' ^u'\hiU)^j,V^v,UeUo) 

u'eU': 
Pr{U'=u'\hiU)=j,V=v.,UeUa)>^;j^!^ 

J2 PT{U = u{u')\h{U)^j,V = v,UeUo) 

u'eW: 

Y, Pr{U^u\h{U)^j,V = v,UeUo) 

u€U: 



< 



PT{U=u\h(U)=3,V=v,Ui£Uo)>^^ 

5A 



(C15) 



(C16) 



where the second equality is by (C2), and the previous inequality is by (C14), (C15) and (C9). Also, using
(C10), (C13), we get



^ Pr(/i([/) = j,F = u,[/eZio) > 1-2A. 

{j,v)eEnD 



(C17) 



Now, the left side of (C5) is bounded, using (C17), as






E 



^ Pr([/' = u'|/i(t/)=j,F = «,C/eZ^o)-- 



"i— 1 u' &A':(p{u')—i 

< 4A + ^ Pr (/i(C/) =j,V^v,Ue Uo) 



{j,v)eEnD 



E 



^ PriU'^u'\hiU)^j,V^v,UeUo)-- 



u' ^14' •.4>{u')^i 



(C18) 



Using (C16), the family of pmfs $\{\Pr(U' = (\cdot) \mid h(U) = j, V = v, U \in \mathcal{U}_0), \ (j, v) \in E \cap D\}$ satisfies
the hypothesis (C1) of Lemma C1 with $d$ replaced by ^^~., ■* and $\epsilon$ replaced by $5\lambda/2$; assume that
$0 < \lambda < 2/45$ so as to meet the condition following (C1). The mentioned family consists of at most
$r'|\mathcal{V}|$ pmfs. Therefore, using Lemma C1
j=i vev



E 



^ Pi-iU' = u'\h{U)^j,V^v,UeUa) 

u'GU':4>{u')—i 



with probability greater than 



1 - 2rr' V exp ^ ^— > 1 - 2rr'\V\ cxp 

\ 36rr / 

for a constant $c$. This completes the proof of (C5), and thereby the lemma.



< 